Ever since the GCash “glitch” happened last week, I was swamped with messages from friends and family members asking my opinion on what really happened. I gave them my honest opinion, but little did they know that I actually made an informal survey with ten (10) delivery riders and ridesharing drivers whose GCash accounts were debited last 08 May 2023. The amounts debited from their respective accounts (based on their claim when I spoke to them) range from PHP1,000 to PHP10,000. I just hope these amounts were returned to them already.
With my not-so-scientific study, I asked these GCash users what apps they have installed on their devices running the FinTech app. Aside from the delivery/ridesharing apps that they use, they also have social media (Facebook and Facebook Messenger), other FinTech apps, and some mainstream mobile games.
I asked them if by any chance they had clicked on any link that they received via SMS or social media (direct messages) from complete strangers, and none of them would admit it. But when I asked if they are into online betting/gambling, all of them gave me a resounding “YES” answer.
Bingo! Not that they are all playing Online Bingo, but aside from third-party gambling apps that they got from the legitimate app store of their device OS, they also play betting apps/games that can be accessed from GCash itself. One even said that the gambling app that he uses was downloaded elsewhere and was installed directly on his smartphone — pretty scary, huh. They all admitted to using these gambling/betting apps to pass the time when waiting for their next delivery or picking up their next passenger.
While stuck in traffic, I further probed my rideshare driver — who claims to have “lost” around PHP8,000 during the GCash glitch — about the mechanics of these gambling apps, and he did mention that you need to “link” your GCash account to top up with these betting apps. Once the linking process is done, topping up your betting account is just a breeze; it will not even ask for an OTP, as he claimed. Boom! It could be the answer that we are all looking for.
I will repeat what I posted on my FB page days ago: I still believe that this is NOT a hacking incident on GCash, but it is (highly) probable that either (1) these GCash users’ smartphones or accounts were compromised by some sort of a sophisticated phishing-like attack; (2) there was a glitch or bug with the payment module used by at least one of the betting/gambling apps that they use and this led to the unauthorized debit transactions; or (3) any of these betting/gambling apps has gone rogue and was just waiting for the right time to drop a dangerous payload to their unsuspecting users’ devices.
If what happened to GCash was indeed a hacking incident, then why did only a fraction (not even 0.05% of its more than 80 million users) experience being debited with various amounts last week? Also, if not for the bank secrecy law, I wish the banks involved would reveal who owns the accounts that served as recipients for these unauthorized transactions. Could they be owned by any of these online betting/gambling app companies?
Cybersecurity Firm to FinTech Companies
A 2021 study conducted by the multinational cybersecurity firm Kaspersky showed that Filipinos are aware of the dangers brought about by phishing in digital payments and believed that antivirus software is required to protect their money and data online.
In 2022, Kaspersky blocked 822,536 financial phishing incidents targeting businesses in Southeast Asia (SEA), of which nearly 52,914 targeted users in the Philippines.
“The recent multi-million incident involving a top digital wallet provider in the Philippines shows two things: (1) that cybercriminals continue to target fintech institutions and (2) that securing these convenient technologies is really a shared responsibility. Clearly, we have seen in this unfortunate incident that the effect of a successful phishing attack can result in identity theft, financial loss, and reputational damage for both individual consumers and businesses,” according to Yeo Siang Tiong, General Manager for Southeast Asia at Kaspersky.
The cybersecurity firm continues to urge FinTech companies to take the following steps:
- To prevent further consequences of a phishing attack, such as data breaches, Kaspersky suggests deploying a comprehensive defensive concept that equips, informs, and guides corporate teams in their fight against the most sophisticated and targeted cyberattacks, such as the Kaspersky Extended Detection and Response (XDR) platform.
- Remind employees about the basic signs of phishing emails — a dramatic subject line, mistakes and typos, inconsistent sender addresses, and suspicious links.
- Always report phishing attacks. If you spot a phishing attack, report it to your IT security department and, if possible, avoid opening the malicious email. This will allow cybersecurity teams to reconfigure anti-spam policies and prevent incidents.
- Supply employees with basic cybersecurity knowledge. Education should be aimed at changing the behavior of learners and teaching them how to deal with threats.
- Since phishing attempts can be confusing, and there’s no guarantee of avoiding all accidental clicks, protect working devices and enterprise perimeters with a holistic cybersecurity expert.